
http://www.interlinknetworks.com/2007/10/selecting-8021x-eap-method-access-point.html


Selecting an 802.1X EAP Method: Access Point Considerations


In the last RADIUS server blog posting, we embarked on the daunting task of securing access to a wireless network with a RADIUS server. This led us to 802.1X and the Extensible Authentication Protocol (EAP), which is at the heart of best practices for wireless network access management. Because of EAP's extensible nature, we noted that there are not only several network components to consider in securing the wireless network, but also many EAP Methods (protocols) from which to choose and configure in your clients and RADIUS server. In evaluating the currently available EAP Methods, we are examining factors involving each component of the wireless network. Because they provide the wireless connectivity, Access Points (APs) are the first and primary component that most enterprises evaluate. We will follow suit by looking at access point issues related to supporting wireless network access management using EAP.

802.1x Support

The most important AP feature necessary for wireless access management is support for 802.1x. This should be a requirement for enterprise wireless networks. One cannot take this feature for granted, since it is generally not available on low-cost consumer access points. 802.1x is the IEEE standard for Port Based Network Access Control. Included in this specification is the use of EAP for authentication. If an Access Point supports 802.1x, then it supports EAP.


WEP (Wired Equivalent Privacy) is another term frequently found on AP datasheets. While WEP-based encryption is often found on APs using 802.1x, by itself it is not sufficient indication that EAP is supported. Many implementations authenticate by configuring static WEP keys: if the workstation can communicate by virtue of having the correct key, then it is considered authenticated. 802.1x was designed to overcome the numerous shortcomings of WEP-key-based authentication by authenticating user access through a RADIUS server. Additionally, WPA/TKIP has been developed to solve the problems of WEP's poor encryption and data integrity.


Some Access Point datasheets will mention support for RADIUS. While RADIUS is used to transport EAP between the Access Point and the Authentication Server, this does not necessarily mean that the AP supports EAP. Some APs perform MAC address authentication with a RADIUS server. This form of authentication falls short of EAP's ability to provide mutual authentication, authentication of the actual user, and session encryption keys with a RADIUS server.

Once it is determined that the AP supports 802.1x, then the next question is which EAP Methods are supported.  The EAP authentication is conducted between the Supplicant (wireless device) and the RADIUS Server (Authentication Server).  It is carried over EAPOL on the wireless side of the AP and over RADIUS on the network side of the AP.  The AP only serves to relay the EAP packets, not to participate in the protocol.  Therefore, any AP that supports 802.1x should be able to support all EAP methods.  In practice, this is generally true.  There have been exceptions found during interoperability tests, but these have been determined to be bugs that the AP vendors are expected to fix.

Proprietary EAP Methods

The one exception to the rule of thumb that all EAP Methods should be supported by all 802.1x APs is Cisco's proprietary EAP-LEAP (Lightweight Extensible Authentication Protocol). It is only supported by APs, supplicants, and authentication servers that have licensed Cisco's technology. LEAP makes use of Cisco's vendor-specific attributes (VSAs) to distribute key material. The access point must support the Cisco VSAs and the LEAP algorithm for generating session keys from the key material. Because Cisco is a networking leader, LEAP has gained acceptance. Other vendors' supplicants and authentication servers support LEAP, but if an enterprise wants to standardize on LEAP, then it must use Cisco APs.

Accounting Support

Although it is not a requirement for EAP, it should be noted that some access points do not support RADIUS accounting. This is an issue for ISPs and Wi-Fi hotspot vendors and less of an issue for enterprises that aren't invoicing for wireless network access. However, all users might still want to implement audit trails and policies, which require RADIUS accounting messages to mark the beginning and end of sessions.

Configuring EAP in the Access Point

Configuring EAP in an access point consists of four straightforward steps:

1.  Enabling 802.1x, often by checking a box on a web form

2.  Entering the authentication server’s IP address

3.  Entering the authentication server’s port number (usually 1812)

4.  Entering the secret shared with the authentication server
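The relay role described above (EAP carried over EAPOL on the wireless side and over RADIUS on the network side, with the AP copying the packets rather than participating) and the shared secret entered in step 4 come together in the RADIUS framing the AP emits. The following Python is an added example written for this post, not code from the original article or from any AP vendor: it builds the Access-Request that an AP would send for a supplicant's EAP-Response/Identity, carrying the EAP packet in EAP-Message attributes and protecting the request with a Message-Authenticator keyed by the shared secret (RFC 3579), and then performs the server-side check that rejects a request when the two sides' secrets differ. The server address, port, secret, identity and all function names are constructed for the example.

```python
"""Added example (not from the original post): the EAP relay an 802.1X AP
performs, reduced to its RADIUS framing, plus the server-side check.

The supplicant's EAP-Response/Identity arrives over EAPOL; the AP copies it
unchanged into EAP-Message attributes of a RADIUS Access-Request (RFC 3579)
and protects the request with a Message-Authenticator keyed by the shared
secret from configuration step 4.  Addresses, secret and identity below
are constructed sample values."""
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2869, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
MAX_ATTR_VALUE = 253          # one-octet attribute length minus the 2-byte header

# EAP code and type (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed stand-ins for configuration steps 2-4 (documentation address, sample secret)
AUTH_SERVER_ADDR = "192.0.2.10"
AUTH_SERVER_PORT = 1812
SHARED_SECRET = b"example-shared-secret"


def eap_response_identity(identifier, identity):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def attr(attr_type, value):
    """RADIUS attribute: Type(1) Length(1) Value, with length covering the header."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(eap_packet, user_name, identifier, secret, request_authenticator=None):
    """AP side: wrap an EAP packet in an Access-Request as RFC 3579 specifies.

    Long EAP packets are split across several EAP-Message attributes.  The
    Message-Authenticator is HMAC-MD5(secret) over the whole packet with its
    own 16-byte value zeroed; it is placed last so it can be patched in."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user_name)
    attrs += attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += attr(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Return (type, value_offset, value) for each attribute, validating lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, pos + 2, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_and_extract_eap(packet, secret):
    """Server side: check the Message-Authenticator, then reassemble the EAP packet.

    Raises ValueError if the HMAC is absent or the shared secret differs."""
    mac_offset, fragments = None, []
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_offset = offset
        elif attr_type == ATTR_EAP_MESSAGE:
            fragments.append(value)
    if mac_offset is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579)")
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16]):
        raise ValueError("Message-Authenticator mismatch: shared secret differs")
    if not fragments:
        raise ValueError("no EAP-Message attribute")
    return b"".join(fragments)


def relay_identity(identity, ap_secret, server_secret):
    """Supplicant -> AP -> server round trip for one EAP-Response/Identity."""
    eap = eap_response_identity(1, identity)                        # arrives over EAPOL
    request = build_access_request(eap, identity, 1, ap_secret)     # AP relays over RADIUS
    return verify_and_extract_eap(request, server_secret)           # server checks and unwraps


if __name__ == "__main__":
    print("relayed:", relay_identity(b"alice@example.com", SHARED_SECRET, SHARED_SECRET))
    try:
        relay_identity(b"alice@example.com", SHARED_SECRET, b"wrong-secret")
    except ValueError as err:
        print("rejected:", err)
```

Two points worth noticing when reading the code: the AP never inspects the EAP payload (it only fragments and re-joins bytes), which is why any 802.1x AP can carry any EAP Method; and the only credential the AP holds is the shared secret from step 4, which is what the server uses to tell a legitimate AP's request from a forged one, so a mistyped secret shows up as a Message-Authenticator mismatch rather than an EAP failure.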


In conclusion, beyond the need to support 802.1x, the access point does not need to be a determining factor in which EAP Method to choose.  The key is recognizing which access points support 802.1x.  From there, enabling 802.1x and configuring communication with the authentication server is fairly straightforward.  There is no need to configure a specific EAP method within the access point.


Choosing and configuring an EAP Method becomes more involved as we look at the supplicant and the RADIUS server (authentication server) in upcoming blog posts.


